Asp.net 表单身份验证 cookie 不支持 IIS7 超时 [英] Asp.net forms authentication cookie not honoring timeout with IIS7
问题描述
身份验证 cookie 似乎在短时间(一天左右)后超时.我正在使用表单身份验证,并在 web.config 中设置了 timeout="10080" 和 slideExpiration="false".使用该设置,cookie 应在用户成功通过身份验证后大约 7 天过期.
Authentication cookies seem to timeout after a short period of time (a day or so). I am using Forms Authentication and have the timeout="10080" with slidingExpiration="false" in the web.config. With that setting, the cookie should expire roughly 7 days after the user is successfully authenticated.
这与 IIS6 所宣传的一样有效,但是当我将站点移至 IIS7 时,cookie 过期得更快.我已经在使用 IE 和 Firefox 的多台机器上确认了这种行为,这让我相信这是 IIS7 设置.
This worked as advertised with IIS6, but when I moved the site to IIS7, the cookie expires much quicker. I've confirmed this behavior on multiple machines with IE and Firefox, leading me to believe it's an IIS7 setting.
是否有特定于 IIS7 的与身份验证相关的隐藏设置?除匿名用户跟踪外,该网站的所有其他身份验证类型均已禁用.
Is there a hidden setting that is IIS7 specific related to authentication? All other authentication types are disabled for the website, except for anonymous user tracking.
推荐答案
使用本地 web.config 或全局 machineKey 值对身份验证 cookie 进行加密代码>machine.config.如果没有显式设置这样的键,将自动生成一个键,但它不会持久化到磁盘——因此,只要应用程序因不活动而重新启动或回收",它就会改变,并且将在下一次点击时创建新密钥.
The authentication cookie is encrypted using the machineKey value from the local web.config or the global machine.config. If no such key is explicitly set, a key will be automatically generated, but it is not persisted to disk – hence, it will change whenever the application is restarted or "recycled" due to inactivity, and a new key will be created on the next hit.
解决问题就像将 web.config 或可能(最好?)到 机器一样简单.服务器上的配置(未经测试):
Resolving the problem is as easy as adding a <machineKey> configuration section to web.config, or possibly (preferably?) to the machine.config on the server (untested):
<system.web>
...
<machineKey
validationKey="..."
decryptionKey="..."
validation="SHA1"
decryption="AES"/>
...
</system.web>
Google 生成随机机器密钥可以为您生成此部分的网站.不过,如果您的应用程序处理机密信息,您可能需要自己创建密钥.
Google generate random machinekey for sites that can generate this section for you. If your application deals with confidential information, you might want to create the keys yourself, though.
这篇关于Asp.net 表单身份验证 cookie 不支持 IIS7 超时的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
